diff --git a/charts/ceph-csi-cephfs/README.md b/charts/ceph-csi-cephfs/README.md
index 302bec8d5..815e2539c 100644
--- a/charts/ceph-csi-cephfs/README.md
+++ b/charts/ceph-csi-cephfs/README.md
@@ -156,6 +156,7 @@ charts and their default values.
 | `secret.name` | Specifies the cephFS secret name | `csi-cephfs-secret` |
 | `secret.adminID` | Specifies the admin ID of the cephFS secret | `` |
 | `secret.adminKey` | Specifies the key that corresponds to the adminID | `<Ceph auth key corresponding to ID above>` |
+| `selinuxMount` | Mount the host /etc/selinux inside pods to support selinux-enabled filesystems | `true` |
 
 ### Command Line
 
diff --git a/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml b/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml
index ebcd242d1..27c85b194 100644
--- a/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml
+++ b/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml
@@ -112,9 +112,11 @@ spec:
 name: host-mount
 - mountPath: /sys
 name: host-sys
+{{- if .Values.selinuxMount }}
 - mountPath: /etc/selinux
 name: etc-selinux
 readOnly: true
+{{- end }}
 - mountPath: /lib/modules
 name: lib-modules
 readOnly: true
@@ -176,9 +178,11 @@ spec:
 - name: host-sys
 hostPath:
 path: /sys
+{{- if .Values.selinuxMount }}
 - name: etc-selinux
 hostPath:
 path: /etc/selinux
+{{- end }}
 - name: host-mount
 hostPath:
 path: /run/mount
diff --git a/charts/ceph-csi-cephfs/templates/nodeplugin-psp.yaml b/charts/ceph-csi-cephfs/templates/nodeplugin-psp.yaml
index 884d4fbee..197a865c8 100644
--- a/charts/ceph-csi-cephfs/templates/nodeplugin-psp.yaml
+++ b/charts/ceph-csi-cephfs/templates/nodeplugin-psp.yaml
@@ -40,8 +40,10 @@ spec:
 readOnly: false
 - pathPrefix: '/sys'
 readOnly: false
+{{- if .Values.selinuxMount }}
 - pathPrefix: '/etc/selinux'
 readOnly: true
+{{- end }}
 - pathPrefix: '/lib/modules'
 readOnly: true
 - pathPrefix: '{{ .Values.kubeletDir }}'
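Review bot: The new `etc-selinux` volume in the `@@ -176,9 +178,11 @@` hunk of charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml (and its twin at `@@ -193,9 +195,11 @@` in charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml) declares `hostPath: path: /etc/selinux` with no `type:`, so on a node where /etc/selinux does not exist the kubelet will, as far as I recall the default hostPath semantics, create it as an empty root-owned directory on the host instead of refusing to schedule the pod. The container-side mount is `readOnly: true`, so the pod cannot write through it, but the host still gains a directory it did not have. If the purpose of the `selinuxMount` toggle is that operators set it to false on non-SELinux nodes, adding `type: Directory` under `hostPath:` would make a forgotten toggle fail loudly at pod start rather than silently touching the host; if the create-on-demand behaviour is intended, a one-line comment above the volume saying so would settle it. The enclosing `volumes:` list starts before this hunk.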
diff --git a/charts/ceph-csi-cephfs/values.yaml b/charts/ceph-csi-cephfs/values.yaml
index 0cfd35b70..0fa042d9b 100644
--- a/charts/ceph-csi-cephfs/values.yaml
+++ b/charts/ceph-csi-cephfs/values.yaml
@@ -201,6 +201,10 @@ provisioner:
 podSecurityPolicy:
 enabled: false
 
+# Mount the host /etc/selinux inside pods to support
+# selinux-enabled filesystems
+selinuxMount: true
+
 topology:
 # Specifies whether topology based provisioning support should
 # be exposed by CSI
diff --git a/charts/ceph-csi-rbd/README.md b/charts/ceph-csi-rbd/README.md
index 132afadb7..7c30ec16c 100644
--- a/charts/ceph-csi-rbd/README.md
+++ b/charts/ceph-csi-rbd/README.md
@@ -175,6 +175,7 @@ charts and their default values.
 | `secret.userID` | Specifies the user ID of the rbd secret | `<plaintext ID>` |
 | `secret.userKey` | Specifies the key that corresponds to the userID | `<Ceph auth key corresponding to ID above>` |
 | `secret.encryptionPassphrase` | Specifies the encryption passphrase of the secret | `test_passphrase` |
+| `selinuxMount` | Mount the host /etc/selinux inside pods to support selinux-enabled filesystems | `true` |
 
 ### Command Line
 
diff --git a/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml b/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml
index eaa8fc5ac..acdae8e8b 100644
--- a/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml
+++ b/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml
@@ -109,9 +109,11 @@ spec:
 name: host-mount
 - mountPath: /sys
 name: host-sys
+{{- if .Values.selinuxMount }}
 - mountPath: /etc/selinux
 name: etc-selinux
 readOnly: true
+{{- end }}
 - mountPath: /lib/modules
 name: lib-modules
 readOnly: true
@@ -193,9 +195,11 @@ spec:
 - name: host-sys
 hostPath:
 path: /sys
+{{- if .Values.selinuxMount }}
 - name: etc-selinux
 hostPath:
 path: /etc/selinux
+{{- end }}
 - name: lib-modules
 hostPath:
 path: /lib/modules
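Review bot: The comment added above `selinuxMount: true` in the `@@ -201,6 +201,10 @@` hunk of charts/ceph-csi-cephfs/values.yaml (and the identical one in charts/ceph-csi-rbd/values.yaml at `@@ -399,6 +399,10 @@`) does not tell an operator when to turn the flag off or what else it controls, which matters because it defaults to true and exposes a host path into the nodeplugin pods. I would expand it to: `# Mount the host /etc/selinux read-only into the nodeplugin pods to support selinux-enabled filesystems. Set to false on nodes that do not use SELinux; the PodSecurityPolicy allowedHostPaths entry for /etc/selinux is rendered only when this is true.` Both facts are visible in the templates this commit changes (`readOnly: true` on the volumeMount and the `allowedHostPaths` entry wrapped in the same `{{- if .Values.selinuxMount }}`).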
diff --git a/charts/ceph-csi-rbd/templates/nodeplugin-psp.yaml b/charts/ceph-csi-rbd/templates/nodeplugin-psp.yaml
index 45e5af85d..5fc5c48d5 100644
--- a/charts/ceph-csi-rbd/templates/nodeplugin-psp.yaml
+++ b/charts/ceph-csi-rbd/templates/nodeplugin-psp.yaml
@@ -40,8 +40,10 @@ spec:
 readOnly: false
 - pathPrefix: '/sys'
 readOnly: false
+{{- if .Values.selinuxMount }}
 - pathPrefix: '/etc/selinux'
 readOnly: true
+{{- end }}
 - pathPrefix: '/lib/modules'
 readOnly: true
 - pathPrefix: '{{ .Values.cephLogDirHostPath }}'
diff --git a/charts/ceph-csi-rbd/values.yaml b/charts/ceph-csi-rbd/values.yaml
index eaa578b6e..657e8b284 100644
--- a/charts/ceph-csi-rbd/values.yaml
+++ b/charts/ceph-csi-rbd/values.yaml
@@ -399,6 +399,10 @@ storageClass:
 # mountOptions:
 # - discard
 
+# Mount the host /etc/selinux inside pods to support
+# selinux-enabled filesystems
+selinuxMount: true
+
 secret:
 # Specifies whether the secret should be created
 create: false